Should my DNS Server use its own IP address as its primary DNS?

bg.graf

Trying to figure out a few quirky things with a server I set up for a doctor's office a few months back.

It is set up running the DNS role, and it made me wonder if its NIC should or SHOULD NOT be pointing to itself in the IPv4 network settings. Rather, should I have it pointing to Google's DNS or my ISP's DNS? Thoughts?
 
Ideally it would point to itself in the network settings for DNS.

In the DNS server role setup you should put in the forwarders that the server will use for any DNS queries outside the local LAN. So here you can use Google's or your ISP's DNS servers.
 

Pointing to itself: to its IPv4 address, NOT loopback.
And then, as cyabro states, set up your forwarders under the DNS role setup.
 
DNS is part of Active Directory; without it set up and working properly, your Active Directory will be broken.

A DC MUST look at itself for DNS. You can use its IP, or you can use loopback (since that is itself anyway). Personally I'm in the habit of just using its IP address.

And DHCP MUST hand out the IP of your DC to the clients as the DNS server. NOT the router's LAN IP, NOT the ISP's DNS servers, but your DC's LAN IP. Workstations that are joined to Active Directory need to use the DC's IP for their DNS (or multiple DCs if you have multiple DCs).

You set up your DNS forwarding in the DNS MMC. I forward to OpenDNS's servers for an added layer of protection against malware, since OpenDNS blocks known malware distribution sites via a constantly updated list. So your client workstations get an added layer of protection while surfing: they cannot download what they cannot resolve.
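The three replies above amount to one checklist for a Windows domain controller: the NIC's DNS client points at the DC itself, Internet names leave via forwarders configured in the DNS role, and DHCP hands the DC's IP to clients. The script below is an added example, not code from anyone in this thread; it audits a DC against that checklist rather than changing anything. It assumes the DnsServer PowerShell module is present (it is wherever the DNS role is installed), runs the DHCP checks only if the DhcpServer module is available, and takes an assumed `-OtherDcIPs` parameter for domains with more than one DC.

```powershell
# Added example (not from the thread): read-only audit of a DC's DNS plumbing.
# Assumes the DnsServer module; DHCP checks are skipped without DhcpServer.
#Requires -RunAsAdministrator
param(
    [string[]] $OtherDcIPs = @()   # assumption: LAN IPs of any additional DCs
)

function Get-DhcpDnsOption {
    # Option 006 (DNS Servers) for one scope, or the server-level default when no ScopeId is given.
    param($ScopeId)
    try {
        if ($ScopeId) { (Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 6 -ErrorAction Stop).Value }
        else          { (Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction Stop).Value }
    } catch { $null }
}

function Test-DcDnsConfig {
    param([string[]] $OtherDcIPs)
    $findings = New-Object System.Collections.Generic.List[string]

    # This host's LAN IPv4 addresses; loopback and APIPA carry PrefixOrigin 'WellKnown'.
    $ownIPs = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
        Select-Object -ExpandProperty IPAddress)
    $validDcIPs = $ownIPs + $OtherDcIPs

    # 1. NIC DNS client: the DC must look at itself (LAN IP, or loopback as one reply allows).
    #    The router, the ISP or Google's resolvers here is the misconfiguration the thread warns about.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($srv -ne '127.0.0.1' -and $validDcIPs -notcontains $srv) {
                    $findings.Add("NIC '$($_.InterfaceAlias)' uses $srv for DNS; set it to the DC's LAN IP ($($ownIPs -join ', '))")
                }
            }
        }

    # 2. Forwarders: Internet names go out via the forwarders set in the DNS role,
    #    never back to this server (that would be a forwarding loop).
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    if ($fwd.Count -eq 0) {
        $findings.Add('No forwarders configured; Internet names resolve via root hints only')
    }
    foreach ($f in $fwd) {
        if ($f -eq '127.0.0.1' -or $ownIPs -contains $f) {
            $findings.Add("Forwarder $f is this server itself (forwarding loop)")
        }
    }

    # 3. DHCP option 006: every scope must hand out a DC LAN IP, not the router or the ISP.
    if (Get-Module -ListAvailable -Name DhcpServer) {
        Import-Module DhcpServer
        $serverDefault = Get-DhcpDnsOption
        foreach ($scope in @(Get-DhcpServerv4Scope -ErrorAction SilentlyContinue)) {
            $handed = @(Get-DhcpDnsOption -ScopeId $scope.ScopeId)
            if ($handed.Count -eq 0) { $handed = @($serverDefault) }   # scope inherits the server-level option
            if ($handed.Count -eq 0) {
                $findings.Add("DHCP scope $($scope.ScopeId) hands out no DNS server at all")
            }
            foreach ($ip in $handed) {
                if ($validDcIPs -notcontains $ip) {
                    $findings.Add("DHCP scope $($scope.ScopeId) hands out $ip as DNS; should be a DC LAN IP")
                }
            }
        }
    } else {
        $findings.Add('DhcpServer module not found; verify option 006 on the DHCP server by hand')
    }

    # 4. Smoke test: the DC locator SRV record must resolve from this DC's own DNS service.
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        $findings.Add("_ldap._tcp.dc._msdcs.$domain does not resolve locally; domain members cannot locate this DC")
    }

    return $findings
}

$result = Test-DcDnsConfig -OtherDcIPs $OtherDcIPs
if ($result.Count -eq 0) { Write-Output 'OK: DNS client, forwarders, DHCP option 006 and SRV lookup are all consistent.' }
else { $result | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it on the DC from an elevated prompt; with a second DC, pass `-OtherDcIPs 192.168.1.11` so that address counts as acceptable both on the NIC and in option 006. The script only reports; the fixes are the ones the replies already name (`Set-DnsClientServerAddress` on the NIC, forwarders in the DNS role, option 006 in DHCP).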
 

There are several ways to do it. From a security standpoint, you set up two DNS servers (Private DNS and Public DNS).

The Private DNS is inside the LAN and normally contains the Active Directory DNS if you're running Microsoft servers. Microsoft by default doesn't include the root zone. You then point the DNS to itself and forward all other queries to the public DNS. All workstations in the LAN use your private DNS. Do not load the Root Zone.

The public DNS is normally located in the DMZ or outside the LAN. It should have a public IP address or a private IP address that is NATed. This DNS server should be set up with the Root Zone. The Public DNS points to itself only. When you register a domain name, you use the public DNS as the Name Server. The advantage of having a root zone is that you don't depend on other DNS servers.

Public DNS can run on a slow computer. Most small businesses have old computers. I normally set up 2 - 4 public DNS servers for each client.

If you want to provide an additional service to your clients, then set up a public DNS in your shop/office. Then make it a secondary for all your clients' public DNS. In case your client's internet is down, DNS queries will still be answered.

I don't recommend loading any other services on the PUBLIC DNS for security reasons. Its main purpose should be to serve DNS only. Do not allow updates from other DNS servers. That's why a slow computer with a 10/100MB NIC should be sufficient. It is better to set up two public DNS servers than a single public DNS with RAID 1. Most of the data is cache that can be recreated. The DNS records are not normally changed and can easily be backed up and restored. If you have a secondary, you don't even need to do a restore if the primary fails. Just replace and configure. It will sync automatically.
Occasionally clear the cache or reboot the public DNS to clear the cache.

There's a good book called DNS and BIND. It's been out for over 15 years or so but is still the best book on DNS (IMHO).
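The reply above gives the public DNS box a narrow job: point only at itself, be authoritative for the registered domain, accept no updates from other servers, replicate only to the shop's secondary (which then syncs automatically), and run nothing else. The script below is an added example, not the poster's own setup, for the case where that public server is Windows DNS; it checks those properties and prints the corrective cmdlet for each miss. The zone name `example.com` and the secondary address `203.0.113.10` are constructed placeholders, and the `-ClearCache` switch is an assumption added for the occasional cache flush the reply mentions.

```powershell
# Added example (not from the thread): audit of a standalone Windows DNS server
# meant to be the "public DNS" of the split design. Zone and secondary are placeholders.
#Requires -RunAsAdministrator
param(
    [string]   $ZoneName    = 'example.com',      # placeholder: the client's registered domain
    [string[]] $Secondaries = @('203.0.113.10'),  # placeholder: the shop's secondary public DNS
    [switch]   $ClearCache                        # assumption: flush the resolver cache on request
)

function Test-PublicDnsConfig {
    param([string] $ZoneName, [string[]] $Secondaries)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. "The Public DNS points to itself only."
    $ownIPs = @(Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | Select-Object -ExpandProperty IPAddress)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                if ($srv -ne '127.0.0.1' -and $ownIPs -notcontains $srv) {
                    $findings.Add("NIC '$($_.InterfaceAlias)' resolves via $srv instead of this server")
                }
            }
        }

    # 2. The registered zone: a standard file-backed primary (this box is outside the
    #    domain), no dynamic updates, transfers only to the named secondary, and NOTIFY
    #    to it so the secondary picks up changes on its own.
    $zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $findings.Add("Zone $ZoneName is not hosted on this server")
    } else {
        if ($zone.ZoneType -ne 'Primary' -or $zone.IsDsIntegrated) {
            $findings.Add("Zone $ZoneName should be a standard primary; it is $($zone.ZoneType), DsIntegrated=$($zone.IsDsIntegrated)")
        }
        if ($zone.DynamicUpdate -ne 'None') {
            $findings.Add("Zone $ZoneName accepts dynamic updates ($($zone.DynamicUpdate)); fix: Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate None")
        }
        $allowed = @($zone.SecondaryServers | ForEach-Object { $_.IPAddressToString })
        $extra   = @($allowed     | Where-Object { $Secondaries -notcontains $_ })
        $missing = @($Secondaries | Where-Object { $allowed -notcontains $_ })
        if ($zone.SecureSecondaries -ne 'TransferToSecureServers' -or $extra.Count -gt 0 -or $missing.Count -gt 0) {
            $list = $Secondaries -join ','
            $findings.Add("Zone $ZoneName transfers: mode=$($zone.SecureSecondaries), listed=[$($allowed -join ',')]; fix: Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries TransferToSecureServers -SecondaryServers $list -Notify NotifyServers -NotifyServers $list")
        }
    }

    # 3. "Its main purpose should be to serve DNS only": list every process other than
    #    dns.exe listening on a non-loopback TCP port, for the admin to justify or remove.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
    foreach ($l in $listeners) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        if ($proc -and $proc -ne 'dns') {
            $findings.Add("Extra listener: $proc on TCP $($l.LocalPort) (review; this host should serve DNS only)")
        }
    }
    return $findings
}

$result = Test-PublicDnsConfig -ZoneName $ZoneName -Secondaries $Secondaries
if ($result.Count -eq 0) { Write-Output "OK: $ZoneName is a locked-down public primary on this server." }
else { $result | ForEach-Object { Write-Output "FINDING: $_" } }
if ($ClearCache) { Clear-DnsServerCache -Force; Write-Output 'Resolver cache cleared.' }
```

Run it as `.\Test-PublicDns.ps1 -ZoneName <your domain> -Secondaries <secondary IP>` on each public server; the same check, pointed at the shop's secondary, should instead show the zone as type `Secondary` with the client's public DNS as its master. Section 3 will list Windows' own SMB and RPC listeners as well, which is the point: on a box whose only purpose is DNS, each of those is a conscious decision.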
 